Fix using htmlspecialchars() whit the $double_encode parameter. PHP < 5.4 doesn't validate the entities.

Props miqrogroove. Fixes #17780.

git-svn-id: https://develop.svn.wordpress.org/trunk@32851 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/formatting.php

@@ -688,6 +688,12 @@ function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = fals
 		$quote_style = ENT_NOQUOTES;
 	}
 
+	if ( ! $double_encode ) {
+		// Guarantee every &entity; is valid, convert &garbage; into &garbage;
+		// This is required for PHP < 5.4.0 because ENT_HTML401 flag is unavailable.
+		$string = wp_kses_normalize_entities( $string );
+	}
+
 	$string = @htmlspecialchars( $string, $quote_style, $charset, $double_encode );
 
 	// Backwards compatibility

tests/phpunit/tests/formatting/EscHtml.php

@@ -34,7 +34,7 @@ class Tests_Formatting_EscHtml extends WP_UnitTestCase {
 
 	function test_ignores_existing_entities() {
 		$source = '& £ " &';
-		$res = '& £ " &';
+		$res = '& £ " &';
 		$this->assertEquals( $res, esc_html($source) );
 	}
 }

tests/phpunit/tests/formatting/WPSpecialchars.php

@@ -85,7 +85,7 @@ class Tests_Formatting_WPSpecialchars extends WP_UnitTestCase {
 		return array(
 			array(
 				'This & that, this & that, — " " Ú   " " " " " $ ×',
-				'This & that, this & that, — " " Ú   " " " " " $ ×',
+				'This & that, this & that, — " " Ú   " " " " " $ ×',
 			),
 			array(
 				'&& && && &;',